Every day, I hear more and more about GDPR, but what exactly is it and how will it affect both you and companies that you may deal with or work for?
Simply put, the General Data Protection Regulation (GDPR) is a set of regulations which the European Union (EU) is bringing in to strengthen and unify data protection for all persons within the EU. GDPR also covers the export of personal data outside of the EU.
GDPR: Who Owns the Data?
The primary objective of GDPR is to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within EU Law. This regulation was adopted in 2016. It will come into force in May 2018. In the UK, the government has made it clear that GDPR will still be in place even after the UK leaves the EU. It's important to point out that GDPR will extend the scope of the EU data protection law to ALL foreign companies processing data concerning EU residents. This has big implications for all businesses. Failure to comply with the EU General Data Protection Regulation (GDPR) can expose your organization to a penalty of up to 4% of global revenue.
Data Controllers vs. Data Processors
Basically, GDPR makes a distinction between what it calls 'controllers' of data and 'processors' of data. The controller says how and why personal data is processed and the processor acts on the controller's behalf.
If you are a processor, the GDPR regulations place legal obligations on your company. As an example, you would be required to maintain records of personal data and processing activities, and you would have significantly more liability if you are found responsible for a breach of the regulations. It's important to note here that these obligations for processors are a new requirement under the GDPR and have a very important impact on all persons and organizations.
If you are a controller, you are not free of all obligations either. The GDPR regulations place additional obligations on you to ensure your contracts with processors comply with the regulations. So, in effect, the company has responsibilities and so does the individual.
Defining Personal Data
Organizations can find themselves in breach of these regulations through both their own actions and those of their employees. GDPR will apply to what it defines as "personal data." However, this definition is quite broad. It will apply to a wide range of personal identifiers that can be used to constitute personal data, and this will include all metadata, which reflects the way organizations now collect information about people. This will affect any organization keeping records on any person within the EU.
If you are not planning for GDPR now, you should be. Taking steps now (and onboarding the right data management solutions) will help you get ahead even while time is short.